Enabling Authenticated Enrollment with IBM Endpoint Manager for Mobile Devices

The update of IBM Endpoint Manager for Mobile Devices last month included the new Authenticated Enrollment feature.   In the article below,  I’ll detail how you can easily enable this and configure user enrollment questions too.

MDM Architecture

Before you do, it’s a good idea to recap the overall MDM architecture once more.  You’ll already have your Endpoint Manager server running on your internal network and the Management Extender for iOS on a server in your DMZ (servers shown below in grey).   You’ll then want to have a very small server to run the Trusted Service Provider/Self-Service Portal components as highlighted in green below  (I’ll cover the Self-Service Portal in a future post).  Whilst I don’t see any reason why these new services couldn’t also run on your TEM server, you’d need to ensure you don’t have a possible clash with Web Reports running on port 80.   For larger environments a dedicated server would be preferable.   Ensure you’ve made any DMZ firewall rules as required.
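Before you pick a host for the Trusted Service Provider, it is worth checking that nothing on it already listens on port 80, which is the Web Reports clash mentioned above. The PowerShell below is an added pre-install check, not part of the original post or of the IBM product; it assumes the TSP/Self-Service Portal needs TCP 80 and 443 (443 is my assumption, the post only names 80) and uses only .NET and `netstat`, so it also runs on older Windows Server releases.

```powershell
# Added pre-install check (not from the original post or the IEM product):
# report whether TCP 80/443 already have a listener on this host and which
# process owns it, before installing the Trusted Service Provider here.

function Get-PortOwner {
    param([Parameter(Mandatory=$true)][int]$Port)

    # netstat -ano prints local listeners with the owning PID in the last column.
    $lines = netstat -ano -p tcp | Where-Object { $_ -match '\sLISTENING\s' }
    foreach ($line in $lines) {
        $cols = $line.Trim() -split '\s+'
        # $cols[1] is the local address, e.g. 0.0.0.0:80 or [::]:80
        if ($cols[1] -match ":$Port$") {
            $procId = [int]$cols[-1]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            return [pscustomobject]@{
                Port    = $Port
                Local   = $cols[1]
                PID     = $procId
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
    }
    return $null
}

function Test-TspPortsFree {
    # Ports assumed to be needed by the TSP/Self-Service Portal (80 is from the post).
    param([int[]]$Ports = @(80, 443))

    $ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listening = $ipProps.GetActiveTcpListeners() | ForEach-Object { $_.Port } | Sort-Object -Unique

    $allFree = $true
    foreach ($p in $Ports) {
        if ($listening -contains $p) {
            $allFree = $false
            $owner = Get-PortOwner -Port $p
            $who   = if ($owner) { "{0} (PID {1})" -f $owner.Process, $owner.PID } else { 'an unidentified process' }
            $hint  = if ($p -eq 80) { ' On a TEM server this is typically Web Reports.' } else { '' }
            Write-Warning ("Port {0} is already in use by {1}.{2}" -f $p, $who, $hint)
        } else {
            Write-Host "Port $p is free."
        }
    }
    return $allFree   # $true only when every required port is free
}

# Usage: run on the candidate TSP host before starting the wizard.
Test-TspPortsFree
```

If the function returns `$false` on a TEM server, either move Web Reports to another port or, as the post suggests, give the TSP its own small server.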

Enabling Authenticated Enrollment

By default, devices can be managed by MDM without any authentication.  You can now restrict access to your MDM deployment to only authenticated users who log in with a username and password from an LDAP/Active Directory service.

Start with the Setup and Configuration Wizard, and open Install Additional MDM Features.  The Enrollment Server comes installed automatically on the Management Extender for iOS, so steps 1) and 2) will already be completed from the update you completed here.

Next, click on Deploy Trusted Service Provider,  which will present you with the following window:

Select the server which will host the Trusted Service Provider service (in my case IEMMDMSP1).

The IEM Server will then automatically download the required files from the Internet as shown below.

In about five minutes in my test environment, the installation was complete and the server was in a Pending Restart status.   The install seemed to have completed just fine, so just to be sure all was ok,  I restarted my server.  Maybe I should have been more patient and waited, but all was ok.  After the server restarted the status updated to Completed.

Next I configured the enrollment as shown below.   Note for my Active Directory server (dc1.home.int)  I deselected SSL and entered the Login Attribute of userPrincipalName.   Ensure you test your settings.   When you click on Configure Authenticated Enrollment, it takes a minute or two for this to all be set up on the Management Extender for iOS server.
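The wizard's own test button aside, it helps to reproduce the bind the Management Extender will perform from a PowerShell prompt, so that a failure can be pinned on DNS, the SSL setting, or the Login Attribute rather than on the wizard. The script below is an added example, not code from the original post or from the IBM product. It uses the `dc1.home.int` server named above; the `-Upn` value and the `mdmtest@home.int` account in the usage line are placeholders. With the SSL option unchecked, as in the post, the bind is a plain LDAP simple bind on port 389, so the user's password crosses the network in clear text between the DMZ extender and the domain controller; the `-UseSsl` switch shows the port 636 variant for comparison.

```powershell
# Added LDAP check (not from the original post or the IEM product): bind to the
# domain controller with a user's userPrincipalName, exactly as the wizard's
# "Login Attribute = userPrincipalName" setting implies, then look the user up.

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping so a supplied UPN cannot alter the search filter.
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-MdmLdapLogin {
    param(
        [string]$Server = 'dc1.home.int',                                   # AD server from the post
        [Parameter(Mandatory=$true)][string]$Upn,                           # placeholder, e.g. user@home.int
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
        [switch]$UseSsl                                                     # mirrors the wizard's SSL checkbox
    )
    Add-Type -AssemblyName System.DirectoryServices

    # Unchecked SSL in the wizard = simple bind on 389 (AuthenticationTypes::None);
    # checked = the same bind wrapped in TLS on 636 (SecureSocketsLayer).
    $path     = if ($UseSsl) { "LDAP://${Server}:636" } else { "LDAP://${Server}:389" }
    $authType = if ($UseSsl) { [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
                else         { [System.DirectoryServices.AuthenticationTypes]::None }

    # DirectoryEntry needs the clear-text password; keep it in scope as briefly as possible.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $Upn, $plain, $authType)
        $entry.RefreshCache()   # forces the bind; throws on bad credentials, TLS or DNS problems

        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.Filter = "(&(objectCategory=person)(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn)))"
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        $result = $searcher.FindOne()

        if (-not $result) {
            Write-Warning "Bind succeeded but no object has userPrincipalName=$Upn; check the Login Attribute setting."
            return $false
        }
        Write-Host ("Bind OK via {0}; {1} resolves to sAMAccountName {2}" -f $path, $Upn, $result.Properties['samaccountname'][0])
        return $true
    }
    catch {
        Write-Warning "LDAP test failed against ${path}: $($_.Exception.Message)"
        return $false
    }
    finally {
        $plain = $null
    }
}

# Usage (placeholder account; prompt for the password rather than embedding it):
# Test-MdmLdapLogin -Upn 'mdmtest@home.int' -Password (Read-Host -AsSecureString 'Password')
# Test-MdmLdapLogin -Upn 'mdmtest@home.int' -Password (Read-Host -AsSecureString 'Password') -UseSsl
```

Run it from the Management Extender for iOS host, since that is where the bind will originate and where any DMZ firewall rule for 389 or 636 has to hold. A successful bind with a failed lookup usually means the Login Attribute does not match how users are identified in your directory.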

So, once all this has been set up, when you enroll your iOS device you’ll now be asked to authenticate as shown below  (where I’m entering in my Active Directory user account and password).

Custom Enrollment Questions

Finally, you can also present the user with a range of Custom Enrollment Questions, such as where they work, department ID, accepting an End User License Agreement (EULA).   Questions can be presented with links, checkboxes, radio buttons etc.  An example list of questions is shown below:

This is then presented to the user as shown below:

This information is then visible to the administrator in the console as follows:

So all done!  You now have authenticated enrollment up and running.   If you have any queries or feedback, please post them on the developerWorks forum here.
